All We Can cares deeply about the safety and security of all its supporters. We were recently notified by Blackbaud, one of our third-party software providers, of a security incident which has affected data stored by All We Can, and a number of other charities across the US and UK who use Blackbaud’s services. Blackbaud is a software company, whose database platform All We Can uses to manage our relationships with supporters, churches, and other stakeholders.
Please note, All We Can has been assured by Blackbaud that credit card information, bank account details, and passwords were not accessed in this security incident. All We Can does not store this information in Blackbaud’s systems. Blackbaud are confident that the data accessed during this incident has now been destroyed. There is no reason to believe that any data went beyond the cybercriminal involved in this incident, that the data accessed was or will be misused, or will be disseminated or otherwise made available publicly.
The full details of the breach, including steps All We Can and Blackbaud are taking to protect your data and prevent an incident like this from happening again, are detailed below.
On July 16, Blackbaud notified us of a security incident. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking their system access and fully encrypting files, and ultimately expelled them from their system. Before being locked out, the cybercriminal removed a subset of data containing the personal information of a number of All We Can supporters, along with data from several other organisations. Blackbaud have informed us that this occurred at some point beginning on 7 February 2020, and that the cybercriminal could have been in their system intermittently until 20 May 2020.
What Information Was Involved
As mentioned above, it’s important to note that credit card information, bank account details, and passwords were not accessed in this attack. This information is not stored by All We Can on Blackbaud’s systems. However, we have determined that the data subset removed may have contained contact information (for example name, address, email and phone number) and your history of giving to All We Can, including donation dates and amounts, and whether any donations were made via a Church, Circuit or District. Because protecting supporter data is a top priority of both Blackbaud and All We Can, Blackbaud paid the cybercriminal’s demand with confirmation that the copy of the data they removed had been destroyed. Based on the nature of the incident, their research, and third party (including law enforcement) investigation, there is no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
We are notifying you so that you can take immediate action to protect yourself. Ensuring the safety of our supporters’ data is of the utmost importance to us. All We Can have informed the Information Commissioner’s Office of this breach, notified the Charity Commission, and continue to work with Blackbaud to monitor the situation. We are also taking this opportunity to review the security of our other systems.
As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud have already implemented several changes that will protect your data from any subsequent incidents. Blackbaud’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. Blackbaud have confirmed through testing by multiple third parties, including the appropriate platform vendors, that the fix can withstand all known attack tactics.
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the police.
Please read this article from Citizens Advice for more general guidance on staying safe online and avoiding scams. If you receive any communication from All We Can that you are unsure about, please call us on 020 3758 7700.
For More Information
We sincerely apologise for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact All We Can on 020 3758 7700 or email Katie Kurilecz, our Direct Marketing and Supporter Care Manager, directly on firstname.lastname@example.org.
Update 6 November 2020
After notifying the Information Commissioner’s Office (ICO) of this incident, we have received confirmation that they believe the evidence demonstrates All We Can took appropriate due diligence in sourcing a reputable data processor, and no action against All We Can will be taken by the ICO.